From: Ard Biesheuvel
Date: Mon, 4 Dec 2023 11:55:13 +0100
Subject: Re: [edk2-devel] [PATCH] ArmVirtPkg: Allow EFI memory attributes protocol to be disabled
To: Alexander Graf
Cc: devel@edk2.groups.io, Ard Biesheuvel, László Érsek, Gerd Hoffmann, Oliver Steffen, "Herrenschmidt, Benjamin"
References: <20231204095215.1053032-1-ardb@google.com> <0d62a08e-a153-447a-acb9-b937a74f35f3@amazon.com>
In-Reply-To: <0d62a08e-a153-447a-acb9-b937a74f35f3@amazon.com>

On Mon, Dec 4, 2023 at 11:45 AM Alexander Graf wrote:
>
>
> On 04.12.23 10:52, Ard Biesheuvel wrote:
> > From: Ard Biesheuvel
> >
> > Shim's PE loader uses the EFI memory attributes protocol in a way that
> > results in an immediate crash when invoking the loaded image unless the
> > base and size of its executable segment are both aligned to 4k.
> >
> > If this is not the case, it will strip the executable permissions from
> > the memory allocation, but fail to add them back for the executable
> > region, resulting in non-executable code. Unfortunately, the PE loader
> > does not even bother invoking the protocol in this case (as it notices
> > the misalignment), making it very hard for system firmware to work
> > around this by attempting to infer the intent of the caller.
> >
> > So let's introduce a QEMU command line option to indicate that the
> > protocol should not be exposed at all.
> >
> >   -fw_cfg opt/org.tianocore/DisableMemAttrProtocol,string=y
> >
> > Cc: László Érsek
> > Cc: Gerd Hoffmann
> > Cc: Oliver Steffen
> > Cc: Alexander Graf
> > Link: https://gitlab.com/qemu-project/qemu/-/issues/1990
> > Signed-off-by: Ard Biesheuvel
>
>
> Could you please add a PCD value that allows us to set the default to
> disabled? I believe we want to have at least an interim phase where we
> allow the "old" behavior by default, without modification of QEMU
> command line issuing components.
>

The old behavior is a working combination of firmware and QEMU. The
problem manifests itself now that QEMU is updating its bundled firmware
image. So if the override needs to be on by default, QEMU can take care
of that itself.

> I'm happy to leave the default to the new behavior upstream, but with
> the PCD value, distributions like homebrew can easily unblock themselves
> from updating to the latest edk2 without touching every single
> downstream user of QEMU.
>

edk2 is not a homebrew package. QEMU is, and it bundles the firmware. So
the right place to handle this is QEMU, and this patch gives them an
opportunity to do so without the need to fork the edk2 source code.

Adding a PCD is not going to help - we tried that 7+ years ago with the
default memory permissions on LoaderCode vs LoaderData, and the distros
simply ignored the upstream GRUB changes and kept carrying their own
hacks.

I think having an override like the one I am proposing here is as far as
I am willing to go in terms of disabling security features to
accommodate crap software like shim.

> (hint: You really don't want or need shim on ARM. The only reason for
> shim is that on most x86 desktop systems, users will have the MS keys
> preinstalled. The MS Secure Boot concept however is terribly broken: Any
> compromise of any of the MS signed binaries jeopardizes your boot chain.
> You're a lot better off installing *only* your distribution's key
> material. That way at least you know who you trust. Just remove
> shim. Have a look at how Amazon Linux 2023 did it [2] :))
>

I have been saying the same thing since 2013, which is when I
implemented secure boot support in Tianocore for AArch64. The distros
want shim, and claim they know what they are doing - who am I to
challenge that.

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112033): https://edk2.groups.io/g/devel/message/112033
-=-=-=-=-=-=-=-=-=-=-=-
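The failure mode the patch description sketches, as a small C model added here for illustration. It is not shim's or edk2's code: the per-page attribute table, the `change_attrs` protocol stand-in, the `loader_as_described` flow and the addresses (an allocation at 0x4000 with .text at a 1 KiB offset) are all constructed for this example. Two assumptions are built in: the protocol is modelled as rejecting ranges whose base or length is not 4 KiB aligned, and the `loader_page_rounded` variant is one possible loader-side fix, not what shim does. Variant 2 hides the protocol entirely, which is what the `DisableMemAttrProtocol` override achieves from the firmware side.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of EFI memory attribute handling, written for this example only.
 * Attributes are tracked per 4 KiB page; the protocol is modelled as
 * rejecting ranges that are not page aligned (an assumption of this model). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)
#define NUM_PAGES  16

#define EFI_MEMORY_XP 0x1u  /* execute-protect: page is not executable */

typedef enum { EFI_SUCCESS = 0, EFI_INVALID_PARAMETER, EFI_UNSUPPORTED } efi_status_t;

struct fw_model {
    bool protocol_exposed;         /* false models DisableMemAttrProtocol=y */
    uint32_t page_attr[NUM_PAGES]; /* attribute bits per page, 0 = RWX */
};

static bool page_aligned(uint64_t v) { return (v & (PAGE_SIZE - 1)) == 0; }

/* Set (set=true) or clear (set=false) attribute bits on [base, base+len). */
static efi_status_t change_attrs(struct fw_model *m, uint64_t base, uint64_t len,
                                 uint32_t bits, bool set)
{
    if (!m->protocol_exposed)
        return EFI_UNSUPPORTED;               /* protocol not installed */
    if (len == 0 || !page_aligned(base) || !page_aligned(len))
        return EFI_INVALID_PARAMETER;
    for (uint64_t p = base >> PAGE_SHIFT; p < (base + len) >> PAGE_SHIFT; p++) {
        if (p >= NUM_PAGES)
            return EFI_INVALID_PARAMETER;
        if (set)
            m->page_attr[p] |= bits;
        else
            m->page_attr[p] &= ~bits;
    }
    return EFI_SUCCESS;
}

/* True when no page overlapping [base, base+len) carries EFI_MEMORY_XP,
 * i.e. when jumping to the segment's entry point would not fault. */
static bool range_executable(const struct fw_model *m, uint64_t base, uint64_t len)
{
    if (len == 0)
        return true;
    for (uint64_t p = base >> PAGE_SHIFT; p <= (base + len - 1) >> PAGE_SHIFT; p++)
        if (p >= NUM_PAGES || (m->page_attr[p] & EFI_MEMORY_XP))
            return false;
    return true;
}

/* Loader flow as the patch description characterises shim's: strip execute
 * from the whole (page-aligned) allocation, then re-enable it on the text
 * segment only if that segment happens to be page aligned. */
static void loader_as_described(struct fw_model *m, uint64_t alloc, uint64_t alloc_len,
                                uint64_t text, uint64_t text_len)
{
    if (change_attrs(m, alloc, alloc_len, EFI_MEMORY_XP, true) != EFI_SUCCESS)
        return;  /* no protocol: allocation keeps its default permissions */
    if (page_aligned(text) && page_aligned(text_len))
        change_attrs(m, text, text_len, EFI_MEMORY_XP, false);
}

/* One loader-side fix (this example's, not shim's): widen the text range to
 * page boundaries before clearing XP, at the cost of making whatever data
 * shares the boundary pages executable as well. */
static void loader_page_rounded(struct fw_model *m, uint64_t alloc, uint64_t alloc_len,
                                uint64_t text, uint64_t text_len)
{
    uint64_t lo = text & ~(PAGE_SIZE - 1);
    uint64_t hi = (text + text_len + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    if (change_attrs(m, alloc, alloc_len, EFI_MEMORY_XP, true) != EFI_SUCCESS)
        return;
    change_attrs(m, lo, hi - lo, EFI_MEMORY_XP, false);
}

/* Run one scenario and report whether the text segment ends up executable.
 * variant 0: loader as described, protocol present
 * variant 1: page-rounded loader, protocol present
 * variant 2: loader as described, protocol hidden (the patch's override) */
static bool text_executable_after_load(int variant, uint64_t text, uint64_t text_len)
{
    struct fw_model m = { .protocol_exposed = (variant != 2), .page_attr = { 0 } };
    const uint64_t alloc = 0x4000, alloc_len = 0x8000;  /* constructed: pages 4..11 */
    if (variant == 1)
        loader_page_rounded(&m, alloc, alloc_len, text, text_len);
    else
        loader_as_described(&m, alloc, alloc_len, text, text_len);
    return range_executable(&m, text, text_len);
}

int main(void)
{
    /* Constructed layout: .text at a 1 KiB offset into the allocation. */
    printf("unaligned .text, protocol present: %s\n",
           text_executable_after_load(0, 0x4400, 0x2000) ? "executable" : "NOT executable");
    printf("aligned .text,   protocol present: %s\n",
           text_executable_after_load(0, 0x5000, 0x2000) ? "executable" : "NOT executable");
    printf("unaligned .text, page-rounded fix: %s\n",
           text_executable_after_load(1, 0x4400, 0x2000) ? "executable" : "NOT executable");
    printf("unaligned .text, protocol hidden:  %s\n",
           text_executable_after_load(2, 0x4400, 0x2000) ? "executable" : "NOT executable");
    return 0;
}
```

The first scenario is the crash the patch describes: the allocation is marked XP as a whole, the misaligned segment is never marked executable again, and the first instruction fetch from it faults. The aligned layout works with the same loader, which is why the bug only shows up with some images. Hiding the protocol (variant 2) sidesteps the problem by leaving the allocation at its default permissions, which is exactly the security trade-off the reply above is reluctant to make.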